Skip to main content
Trending Topics
Featured Insights
View All Services
View All Industries
About Us Overview
    • Insights
    • Cookies Consent: CNIL Steps in with a Proposal for Compliance
      January 14, 2020

      Cookies Consent: CNIL Steps in with a Proposal for Compliance

      Generate PDF
      Share

      On January 14, the French data protection authority (the "CNIL") released a proposal for a set of practical requirements for placing cookies in web-based and mobile application environments (the "Recommendations").

      The Recommendations1 follow the CNIL’s publication in July 2019 of guidelines summarizing the applicable cookies framework and its later consultation with stakeholders in the fall. The Recommendations are open to public consultation until February 25, 2020. Interested parties can vote on or contribute feedback on the Recommendations on the CNIL website.  

      Here is a summary of the ingredients in the Recommendations’ "recipe" for compliance:

      • To start with, use good flour, i.e., a cookies management tool.  The tool should be deployed on websites and mobile applications in a manner that will collect a valid consent. This is stating the obvious. However, getting the main ingredient right is not always that easy, especially for the privacy aspects of cookies.2
      • Chocolate chip cookies and snickerdoodles are not the same. Provide a clear, concise description of the cookies’ purposes. The Recommendations suggest a granular categorization of cookies (e.g., differentiating between personalized and geo-located advertising and specifically indicating if cookies are used for social media sharing). They also provide examples of acceptable design for a layered approach. As a best practice (and to please the gourmets asking for all of the details of your recipe), the Recommendations encourage providing details on the nature of the personal data collected for each purpose.
      • Homemade or store-bought? Who baked them? Provide an exhaustive list of controllers and scope of consent. The Recommendations advocate for having information on all relevant controllers available to users both at the level of the cookies management tool and as a separate section on the website/mobile application. This information should be updated periodically and accurate. Re-consent of users should be obtained whenever substantial changes are made to the list (though the Recommendations are not specifying what would be considered substantial changes).
      • Not everyone will eat your cookies. Record user preferences, including refusal to consent. The Recommendations give similar temporal consideration to consent and refusal to consent. In other words, once a user refuses to consent to some or all cookies, his or her choice must be respected for the same period as that for those users who consented to the placing of cookies. This should prevent repeated attempts to obtain user consent following a refusal.
      • What will you be eating next? Recognize that browser settings in the future may likely allow compliance with the EU framework. Recognizing that most browsers are not yet ready to deploy a cookies management settings system in line with the EU framework, the Recommendations nevertheless are calling for development in this area and providing some best practices for it.

      The Recommendations are the latest recipe in the cookbook that organizations can reference to better understand what needs to be done to prepare their cookies' practices to conform with the existing ePrivacy directive and the EU General Data Protection Regulation. With many different recipes out there (such as those of the UK data ICO3, the Dutch APG,4 the Spanish AEPD,5 and the German Association for Data Protection and Data Security6) and enforcement actions starting (e.g., the recent case where the Belgian DPA7 issued a fine amounting to 1% of the organization’s annual turnover), preventing  indigestion will require some consideration of the best recipe for the organization and then carefully following it.

      1 Currently only available in French.

      2 For some examples of challenges ahead of consent management platforms, see,  "Dark Patterns after the GDPR: Scrapping Consent Pop-ups and Demonstrating Their Influence" (M. Nouwens, I. Liccardi, M. Veale, D. Karger and L. Kagal), 2020.

      3 https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/

      4 https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moeten-toegankelijk-blijven-bij-weigeren-tracking-cookies

      5 https://www.aepd.es/sites/default/files/2019-12/guia-cookies_1.pdf

      https://www.gdd.de/aktuelles/startseite/eugh-urteil-mit-starker-breitenwirkung

      7 https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG_12-2019_NL.PDF

      Related Content

      Related Services & Industries

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2024 Mayer Brown

       

       

      Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.